Monday, February 5, 2007

Are IP addresses "Personal Data"?

I worked with other privacy professionals in the European Privacy Officers Forum to answer the question: “Are IP addresses Personal Data?” A simple question doesn’t always have a simple answer. We concluded that the answer depends on the context. We concentrated specifically on the issue of ‘identifiability’ and where the dividing line is drawn between “personal data” and “anonymous data”.

Personal data is very broadly defined in Article 2 of the Directive as “any information relating to an identified or identifiable natural person…”. Where this definition is applied unqualified then it may be interpreted in such a way that data will remain ‘personal’ and subject to the full remit of the law if individuals remain in any way identifiable. We believe that the concept of personal data should rather be defined pragmatically, based upon the likelihood of identification. In our view, it should not be the case that an organisation has to be sure that there is no conceivable method, however unlikely in reality, by which the identity of individuals can be established. This is a highly impractical approach, usually requiring considerable resource to be expended on disproportionate statistical analysis. The responsibility of organisations is to ensure that effective safeguards are put in place to prevent the data from being processed in such a way that it leads to identification. The rights, freedoms, and legitimate interests of individuals can more than adequately be protected if data is processed in such a way that all means likely reasonably to be used to identify the said person will fail. In making judgements about whether information is personal data, an organisation should consider the following factors:

1. How that data could be matched with publicly available information, analysing the statistical chances of identification in doing so;
2. The chances of the information being disclosed and being matched with other data likely held by a third party;
3. The likelihood that ‘identifying’ information may come into their hands in future, perhaps through the launch of a new service that seeks to collect additional data on individuals;
4. The likelihood that data matching leading to identification may be made through the intervention of a law enforcement agency, and
5. Whether the organization has made legally binding commitments (either through contract or through their privacy notice) to not make the data identifiable.

Considerations on all these issues are of course contextual, based upon an assessment on a case-by-case basis of the likely chances that identification may occur in any reasonably foreseen set of circumstances. In terms of ‘reasonableness’ or ‘fairness’, an additional aspect of this assessment may involve consideration as to the sensitivity of the information and any potential harm that could arise for individuals if data is later made identifiable.

However, some Member States, such as Belgium, Sweden and France, have interpreted data protection law to mean that if someone can be identified from certain data, no matter how technically or legally difficult it is to ascertain the identity of the physical person from such data, then the data is deemed to be ‘personal data’.

We suggest that a significant step can be taken in solving this issue by providing qualifying guidance on the limits of ‘personal data’. This should be pragmatic and emphasise that identification must be subject to the reasonableness standard. For example, a definition such as that given in §3(6) of the German Federal Data Protection Act could be used as a basis for this interpretation:
“Depersonalisation means the modification of personal data so that the information concerning personal or material circumstances can no longer or only with a disproportionate amount of time, expense and labour be attributed to an identified or identifiable individual.”

The UK has adopted a pragmatic position: data are deemed personal if the individual to whom they relate is identifiable “from those data and other information in the possession or likely to come into the possession of the data controller” (UK Data Protection Act 1998, section 1(1)). As long as there is little or no chance of disclosure by the controller to a third party of information that could lead, in combination with data held by that person, to re-identification of individuals, then this approach seems more than reasonable.

The regulatory approach to IP addresses also illustrates the dilemma that the Directive’s sweeping definition of ‘personal data’ can cause. According to the stated position of the Working Party, “IP addresses attributed to Internet users are personal data and are protected” by the Directive. Article 29 Working Party, The Use of Unique Identifiers in Telecommunications Terminal Equipments: the Example of IPv6, Opinion 2/2002, WP 58, 10750/02/EN/Final, at 3. The Working Party reasoned that:

“data are qualified as personal data as soon as a link can be established with the identity of the data subject (in this case, the user of the IP address) by the controller or any person using reasonable means. In the case of IP addresses the ISP is always able to make a link between the user identity and the IP addresses and so may be other parties, for instance by making use of available registers of allocated IP addresses or by using other existing technical means”.
The Working Party have assumed that if an IP address is identifiable by one company (e.g., an ISP) it is personal data as far as all other companies are concerned, even if they have no access to the information that permits an association to the individual. But this assumption is very questionable. ISPs typically do not divulge IP account names. Indeed, many Member States have interpreted Article 6 of the 2002 Electronic Communications Data Protection Directive as prohibiting ISPs from divulging user information connected to IP addresses. If a third party cannot receive assistance from an ISP in associating an IP address with a particular user, the IP address is not personal data as far as the third party is concerned. From the third party’s perspective, the IP address is anonymous.

It is of note that this more pragmatic position is supported by jurisdictions with data protection legislation outside Europe, for example, Hong Kong. In May 2006, in a written reply to a member of the Legislative Council, the Secretary for Home Affairs (Dr Patrick Ho) outlined a policy position on IP addresses similar to that advocated above:

"An Internet Protocol (IP) address is a specific machine address assigned by the web surfer's Internet Service Provider (ISP) to a user's computer and is therefore unique to a specific computer. An IP address alone can neither reveal the exact location of the computer concerned nor the identity of the computer user. As such, the Privacy Commissioner for Personal Data (PC) considers that an IP address does not appear to be caught within the definition of "personal data" under the PDPO…” http://www.info.gov.hk/gia/general/200605/03/P200605030211.htm

While exact location and/or the particular user identity may not be required to qualify the IP address as personal data, Mr. Ho’s point that the IP address only identifies a machine is important. In fact, this raises a slightly different, but associated, aspect of the concept of identifiability. In determining whether an IP address can be considered an item of personal data in itself, consideration should be given to the fact that the number is not allocated to a natural person but rather to an item of networked equipment. Data generated through the use of such equipment may be the result of intervention by a number of individuals, perhaps the members of an extended family each making use of a home pc, a whole student body utilising a library computer terminal, or potentially thousands of people purchasing from a networked vending machine. We should note that the number of internet-connected devices is set to explode in the coming years. To illustrate the point, it is envisaged that in the future every light bulb will have an IP address, to turn it on and off, and to send a signal when it needs to be replaced. In fact, the logic of this argument could be applied to a variety of unique identifiers that are not necessarily associated with a particular natural person, for example, RFID numbers. Clearly the more divorced the use of such a number is from the identity of a single natural person, the less strong the argument for considering such ‘identifiers’ as an aspect of personal data.

Whether or not these identifiers are personal data will turn on the context in which they are collected and how they are stored and processed.

4 comments:

Anonymous said...

In Slovenia the Personal Data Protection Act, when defining “identifiability”, strictly follows Article 2 (a) of the Directive, but then goes on with “… if the mode of identification causes no great expense, demands no great effort or doesn’t take much time”.

Not exactly a definition you could use in everyday life, especially when addressing the question whether IP could be defined as personal data.


Suresh Ramasubramanian said...

There are, of course, differences in the degree of conservatism that ISPs or other industry players in a single country interpret the same privacy laws.

Germany, especially, as there's a fairly long tradition of activist privacy legislation, such as the Holger Voss case, that led to a superior court decision prohibiting ISPs from storing any IP data at all for users on a flat-rate billing plan (as IP data is supposed to be only used / retained for billing purposes).

That decision further provided that users can demand that their ISP delete all IP or other data pertaining to the user. Not too surprisingly, there are several privacy organizations in Germany that have posted boilerplate demand letters addressed to various ISPs, that users can download and send to their ISP.

Phil said...

Another argument why IPs are NOT personal can be seen when they are compared to their parallel in the real world: the outbound postcode (not the full postcode, which is clearly personal).

The outbound postcode is the first 4 digits of a postcode (e.g. AB12) and has been classed as a non-personal identifier by the ICO in Information Tribunal decision EA2007/009 and FS50169424 on 8th Jan 2008.

This is because the outbound postcode only relates to a geographic region, not an actual location in the real world. Similarly, IPs only relate to geographic regions, and it is not possible to know the actual location of a user by their IP.

In fact, due to inaccuracies in the technology for geo-locating IPs, they are often misidentified and the user's ISP region is shown, not the user's region. See example: http://tinyurl.com/2ec7ld

Information Tribunal decision EA2007/009, Roy Benford vs. the Information Commissioner, which found that “…part of the postal address can be given without that being sufficient to identify any living individuals. So for example, the county and outbound postcode would clearly not be personal data” (http://tinyurl.com/2hz6hb, page 4, point 13).

Phil.